From 8f92bf3a26b971e7287e6052f282adc461598df1 Mon Sep 17 00:00:00 2001
From: Neil Armstrong <narmstrong@baylibre.com>
Date: Fri, 18 Mar 2022 09:56:57 +0100
Subject: [PATCH] Only make PSA HMAC key exportable when NULL or CBC & not EtM
 in build_transforms()

Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
---
 tests/suites/test_suite_ssl.function | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 4ea0a47ecd..5108b8663f 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -1374,9 +1374,13 @@ static int build_transforms( mbedtls_ssl_transform *t_in,
                              md1, maclen,
                              &t_out->psa_mac_enc ) == PSA_SUCCESS );
 
-        /* mbedtls_ct_hmac() requires the key to be exportable */
-        psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT |
-                                              PSA_KEY_USAGE_VERIFY_HASH );
+        if( cipher_info->mode == MBEDTLS_MODE_STREAM ||
+            etm == MBEDTLS_SSL_ETM_DISABLED )
+            /* mbedtls_ct_hmac() requires the key to be exportable */
+            psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT |
+                                                  PSA_KEY_USAGE_VERIFY_HASH );
+        else
+            psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH );
 
         CHK( psa_import_key( &attributes,
                              md1, maclen,